Commit log for path: root/sandboxlib

Each entry lists the commit message (with branch or tag where one was shown), the author, the commit date, the number of files changed, and the lines removed/added.

* Patch for : No section: 'formatters'  [leeming/bwrap-rebase-patch]
  Andrew Leeming, 2016-10-21; 1 file, -0/+37
  Config file was missing from staged files.

* Bubblewrap is the default for executor_for_platform()  [leeming/bwrap-rebase]
  Andrew Leeming, 2016-10-21; 3 files, -22/+39
  Previously executor_for_platform() would select linux-user-chroot if available. New behaviour is to look for bubblewrap first, then linux-user-chroot, else falling back to chroot. To support this, a generic 'get_program()' function was added to both bubblewrap.py and linux_user_chroot.py for interfacing.

* Rebasing bubblewrap branch with master.
  Andrew Leeming, 2016-10-13; 3 files, -2/+299
  Adds in support for the bubblewrap sandbox. Comes with a logger that logs both to stdout (WARN or higher) and to a log file (everything).

* Add a couple more tests  [tiagogomes/unit-test-fixes]
  Tiago Gomes, 2016-10-06; 1 file, -3/+3
  Also fix a small error detected by the new tests.

* Avoid attempt to load string-escape with Python 3
  Tiago Gomes, 2016-10-06; 1 file, -5/+9
  This module is not included in Python 3.

* Fix unit tests
  Tiago Gomes, 2016-10-06; 2 files, -3/+8
  - Fix missing source argument in the 'mount' command.
  - Add missing datapath assignment to ensure that file is created in the expected location.
  - Remove unnecessary extra_mounts that were causing the test files in /data to not be accessible inside the sandbox as that directory was being overlapped with a mount bind.
  Also, mention that the C library static libraries are required to be installed for running the tests.

* Fixed a minor bug with root logger  [leeming/root-logger-fix]
  Andrew Leeming, 2016-08-23; 3 files, -3/+3
  If the root logger is used instead of a named 'sandboxlib' logger, this causes potential issues for 3rd party tools using this library.

* Issue 19 and 17: Awful hack to ensure string-escape is loaded
  Tristan Van Berkom, 2016-06-13; 1 file, -0/+9
  This hack ensures that when propagating an exception back from the child process in a chroot, the required string-escape python module is already in memory and no attempt to lazy load it in the chroot is made.

* Propagate child process traceback from chroot process.
  Tristan Van Berkom, 2016-06-11; 1 file, -6/+6
  Without propagating the traceback for the child, issues such as the following become near impossible to diagnose: https://github.com/devcurmudgeon/ybd/issues/224

* sandboxlib.chroot: Don't attempt to unmount remount mounts
  Richard Maw, 2015-11-21; 1 file, -1/+2
  The mount operation is overloaded to also remount to change flags. This does not result in a new mount, so unmounting it is the wrong thing to do in this case. For now, we assume that we're modifying a mount we created earlier, so we can just avoid unmounting when we remount, rather than having to determine how to reverse the changing of flags.

* sandboxlib.linux_user_chroot: Allow manually specified read-only mounts
  Richard Maw, 2015-11-21; 1 file, -0/+8
  You can't create a bind-mount as read-only, you can only bind-mount then remount it as read-only. So a sandboxlib user might opt to say it wants to bind something in, then make it read-only, as two separate extra mounts. We can't do this directly with linux-user-chroot, as we are restricted to bind-mounts and making a subtree read-only, but making a subtree read-only is close enough.

* sandboxlib.chroot: Make mount commands nicer
  Richard Maw, 2015-11-21; 1 file, -2/+12
  It's more natural to not pass -t when bind-mounting, to not pass -o when no options are required, and to not pass the source path when remounting.

* chroot: Capture output of mount/unmount commands  [0.3.1]
  Sam Thursfield, 2015-06-17; 1 file, -2/+4
  This fixes a crash if the command fails, because we would try to decode 'err' but it would be None because output was not being captured.

* Validate extra_mounts a bit more thoroughly
  Sam Thursfield, 2015-06-17; 1 file, -10/+17
  I thought that a TypeError was causing a crash in YBD, but realised it was something else. This commit should still be an improvement, though.

* chroot: Change directory to '/' after calling os.chroot()
  Sam Thursfield, 2015-06-17; 1 file, -0/+3
  This fixes https://github.com/CodethinkLabs/sandboxlib/issues/6 where passing a relative path for 'cwd' caused an error. I had assumed that os.chroot() reset the current working directory itself, since the `chroot` program does, but apparently not.

* Allow overriding backend autodetection with SANDBOXLIB_BACKEND variable
  Sam Thursfield, 2015-06-17; 1 file, -2/+41
  This fixes https://github.com/CodethinkLabs/sandboxlib/issues/3

* linux_user_chroot: Sort --mount-readonly directories
  Sam Thursfield, 2015-06-10; 1 file, -1/+3
  This should have no effect on behaviour, but makes things slightly more predictable.

* linux_user_chroot: Correct docstring
  Sam Thursfield, 2015-06-09; 1 file, -5/+1
  The `unshare` and `mount` commands are no longer needed.

* Fix mistake in CAPABILITIES dicts
  Sam Thursfield, 2015-06-09; 2 files, -2/+2

* Fix some mistakes in chroot backend
  Sam Thursfield, 2015-06-09; 1 file, -4/+5

* Validate parameters using CAPABILITIES dict, instead of manually
  Sam Thursfield, 2015-06-09; 2 files, -12/+11

* Note that chroot backend has been tested on OSX now.
  Sam Thursfield, 2015-06-09; 1 file, -7/+2
  Also, remove a comment that I think is superfluous. Hopefully it's still clear that the chroot backend should work on any POSIX OS.

* Fix executor_for_backend()
  Sam Thursfield, 2015-06-09; 1 file, -1/+1
  It would always pick 'chroot' even when linux-user-chroot was available because I'm dumb.

* Rename sandbox_backend_for_platform() to executor_for_platform()
  Sam Thursfield, 2015-06-09; 1 file, -1/+1
  The old name might be mistaken for a verb, i.e. "sandbox this backend" or some such thing. Hopefully the new name makes it clearer that it returns an execution backend.

* Replace maximum_possible_isolation() with degrade_config_for_capabilities()
  Sam Thursfield, 2015-06-09; 3 files, -42/+51
  The goal is to be useful for apps which want to be flexible about which backend they use, taking into account that not all backends are capable of the same thing.

  My idea for degrade_config_for_capabilities() is that the app first defines the sandboxing config they would like to use, and then passes it through degrade_config_for_capabilities(). Any changes made are warned about, because probably the user needs to know if certain security features are being disabled.

  This commit also adds a CAPABILITIES dict to each backend.

* Fix previous commit
  Sam Thursfield, 2015-06-08; 1 file, -1/+1

* Change how we search for 'linux-user-chroot'
  Sam Thursfield, 2015-06-08; 3 files, -24/+61
  First, the user should get better errors now if it is not found:

    sandboxlib.ProgramNotFound: Did not find 'linux-user-chroot' in PATH. Searched '/sbin:/bin:/usr/sbin:/usr/bin'

  Second, we explicitly search for the program on each call to run_sandbox() using the same search code used in sandbox_module_for_platform(). This shouldn't change anything, but I think it's better practice to search for the program ourselves than to assume exec('linux-user-chroot') will do the right thing.

* Fix calculating mount point targets.
  Sam Thursfield, 2015-06-08; 1 file, -1/+1

* Do mounts directly in linux-user-chroot
  Sam Thursfield, 2015-06-08; 1 file, -75/+91
  This means the linux_user_chroot backend doesn't depend on 'unshare' and 'mount' any more. This in turn means it can be used by non-root users, in theory.

  This limits what type of mounts the linux_user_chroot backend can do to 'proc', 'tmpfs' and bind mounts. Adding more types without going back to needing 'root' for this backend will require changing linux-user-chroot itself (or creating a separate setuid helper program).

* linux-user-chroot: Allow None for filesystem_writable_paths
  Sam Thursfield, 2015-06-05; 1 file, -1/+1
  Previously only 'none' (as a string) was allowed.

* Fix creating missing mountpoints in linux-user-chroot backend, update docs
  Sam Thursfield, 2015-06-01; 2 files, -7/+21
  Creating missing mountpoints is done later now, so that there's less chance of them being created if bad sandbox configuration was passed.

  The previous code didn't seem to work correctly, probably because of Python os.path.join() having the annoying behaviour of deleting all previous path components if it finds one with a preceding '/'.

* Log the actual commandline being run
  Sam Thursfield, 2015-05-28; 1 file, -0/+9
  This makes it easier to debug problems. The log domain 'sandboxlib' is used, so callers can handle the log messages from 'sandboxlib' however they want using the Python 'logging' API.

* Don't have a 'base' environment, make the caller specify 'env'
  Sam Thursfield, 2015-05-28; 4 files, -30/+10
  The idea with 'extra_env' was that all 'sandboxlib' sandboxes would have a consistent base environment with standard PATH, etc. But that's not really workable at all, and only PATH actually matters here anyway. Now the caller passes in the entire environment as 'env'; 'extra_env' is gone.

* Add support for output redirection
  Sam Thursfield, 2015-05-28; 3 files, -42/+96
  I had hoped that we could provide access to a subprocess.Popen() instance directly so users could do whatever they want with the .stdout and .stderr pipes. However, that's not always possible (e.g. the chroot backend can't return the Popen object it creates to the caller, because it's in a different process). The current approach isn't groundbreaking but it is quite simple.

* Add sandbox_module_for_platform() method
  Sam Thursfield, 2015-05-28; 1 file, -0/+67
  This decides what is the best module to use on the current platform.

* Fix error when mount type is None (used for bind mounts)
  Sam Thursfield, 2015-05-27; 1 file, -0/+2

* Add 'filesystem_root' and 'filesystem_writable_paths' settings
  Sam Thursfield, 2015-05-27; 3 files, -12/+140
  This is the last bit of API needed to be usable by YBD and Morph.

* Mention 'mounts' in documentation of maximum_possible_isolation()
  Sam Thursfield, 2015-05-27; 1 file, -0/+2

* chroot: Fix mounting
  Sam Thursfield, 2015-05-27; 1 file, -33/+35
  No need to do mounts inside the process that calls os.chroot(), and in fact it's stupid because there's no guarantee of a /bin/umount existing after we call os.chroot().

* Initial work to allow configuring mount sharing and mounting
  Sam Thursfield, 2015-05-26; 3 files, -15/+216
  This is far from complete and probably has numerous issues right now.

* Return the exit code, stdout and stderr from run_sandbox()
  Sam Thursfield, 2015-05-26; 3 files, -25/+75
  This required a rewrite of the 'chroot' module.

* Let's get some real documentation started.
  Sam Thursfield, 2015-05-22; 3 files, -2/+75

* Add the ability to isolate the sandbox from the network, or not
  Sam Thursfield, 2015-05-22; 2 files, -2/+55
  Note that *sharing* the network is a different thing to *choosing not to isolate* the network. The former implies networking will actually work correctly, while the latter only implies that we didn't deliberately break it. So the default network behaviour is 'undefined'.

  The different backends have different capabilities, so I added a maximum_possible_isolation() method to return whatever is the most isolated configuration that a backend is capable of. I called this function maximum_security() initially, but it doesn't actually guarantee any kind of security at all so that wasn't a good name.

* chroot: Handle failure better
  Sam Thursfield, 2015-05-22; 1 file, -4/+12

* Add 'cwd' option to run_sandbox() functions.
  Sam Thursfield, 2015-05-22; 2 files, -10/+39
  Also, set it correctly when running an App Container image.

* Add linux-user-chroot backend, run-sandbox script, 'appc' loader
  Sam Thursfield, 2015-05-22; 5 files, -1/+148
  This library is now enough to run a very simple App Container image, using either 'chroot' or 'linux-user-chroot'.

* Create a 'sandboxlib' package, rework 'chroot' module
  Sam Thursfield, 2015-05-22; 1 file, -0/+27
  Removed the App Container-specific stuff from 'chroot' module, and added a copyright notice.